
So..... where is that European Salesforce Center?
Companies have been put on notice by Brussels' top privacy bod, who has warned them that the transfer of EU citizens' data to the US must be limited – and this must happen soon. It comes several weeks after a landmark decision in the European Court of Justice nullified the questionable US-EU Safe Harbour Agreement. "No one …
"Why wait, it should have been unlawful as soon as the decision was released."
When laws that result in significant amounts of work for compliance are introduced or repealed, it is reasonable to have a grace period. If a government votes for new accounting rules, they don't say "and they'll come in tomorrow. Why? Fuck you, that's why." They give people time to adjust.
Credit and debit card fraud protection relies heavily on monitoring usage patterns. I have had my US bank call me on my cell phone when they thought the pattern was suspicious. They were seeing the transaction in real time and in one case blocked it. Since this type of data monitoring is internal to the bank and is there to protect their customer, this should be legal everywhere.
The issue is using surfing data with other personal data to build up a profile for advertising without the user's consent.
They can collect data from the US, if you use your card there, or with a company based there, but they can't store or analyse the data there.
That's fine for dealing with your account. However, to work out that, for example, everyone who purchased tickets from Heathrow Express over a certain period had fraudulent transactions on their account afterwards, as happened many years ago, and therefore Heathrow Express must be having problems with their security, would involve analysing data from people in many different countries. If you look at just the UK data, you might have found that most of them had also purchased from Tesco, but bring in the international data, and you will be able to pinpoint the source much better.
@jonathanb
I don't think that's the case. Look at article 7 of section II:
https://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/legal/6aii-2.htm#7
"(d) processing is necessary in order to protect the vital interests of the data subject, or"
for example. If the data centre collecting the credit card usage information for fraud protection purposes is outside the EU, then I believe it is fine, since the collection point is outside the EU.
The issue in question, though, is data transfers, that is, data that is collected in the EU/EEA and transferred out. http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
So look at the FAQs on the transfers site - the steps are quite complex, but even if the CC data has been gathered within the EU, it can be transferred within the same company for the use of fraud prevention. It does get tricky when you have to look at each individual data transfer and the components of it.
"No one wants to see data transfers to stop completely," head of the European Union's Article 29 Working Party, Isabelle Falque-Pierrotin, told Reuters.
Why does she think she's talking for everyone? There's no good reason why transfer of data to the US should continue except for transfers for specific cross-Atlantic business transactions initiated by the data subject.
The World today is full of such questions...
Finally, there’s the most important aspect of IBM’s identical Big Data approaches to death and customer service: Both are extremely powerful systems that have escaped any kind of human, democratic control. As Ellsberg puts it, the drone study is “unintelligible to anyone who might ask, ‘to what end is all this?’ or ‘do we have the right to be doing this?’ or ‘is this making us more secure, in the mid- to long-term, or on balance less so?’ or ‘is this creating more people who hate us — including the families of EKIAs (unintended victims) — and wish to harm us, than it is eliminating?’”
Not sure I completely understand what this all means, really. I'm gonna take a guess and hope for some feedback.
U.S.-listed company Facebook (FB) has users who are Croatian (Croatia being a member of the EU) and live in Croatia. To comply, Facebook must have a presence (servers) in Croatia where all registered information of the users is stored. However, only a small amount of that registered information may be stored on Facebook servers in the U.S.
What information is limited?
Is it only registered information?
[ Maybe I should do some Yahoo!ing™ a bit more? ]
What about 'in transit information?'
What about cached 'in transit information?'
How much of 'in transit information' can be stored on U.S. servers? And for how long?
I'd think that many of the details of interpreting the law (the data protection directive and related) are yet to end up in the ECJ, and before that we, strictly speaking, don't know what the authoritative interpretation is. In the meantime you could do worse than take a look at Max Schrems' take on some key issues:
http://www.europe-v-facebook.org/EN/Complaints/PRISM/Response/response.html
@Pseu Donyme
Thanks for the link.
So basically, you cannot trust any US-based company since they are not permitted, by US law, to admit that they transfer data to the NSA. This includes any non-US company that uses a storage facility in the US or a storage facility operated by a US company (e.g. Amazon, Google, Microsoft clouds).
Erm, right?